Question:
Is it the last option to format my computer if I can't get away from the virus & spyware?
Four answers:
2016-03-15 02:27:25 UTC
Yeah, the "kevinmakesdough" is certainly adware and you need to run a good anti-spy/adware program such as Malwarebytes and/or SUPERantispyware for that... but the other files you listed are all necessary system and program files. DO NOT delete them. I noticed you had a few files from Dell. Are you running a Dell? If so, it's cool, but if not then I really don't know how they would get onto your computer !!!
2007-07-05 00:15:31 UTC
last option?

tips to remove spyware:

Run your anti-spyware in Safe Mode. If you don't have an excellent anti-spyware, or your current anti-spyware can't prevent spyware from invading your computer, download a better one.

There are top 5 anti-spyware reviews, comparisons and download links on

http://www.remove-spywares.info

You can download and scan your computer for free.

As the computer is booting, press your "F8 Key" repeatedly, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

Once in Safe Mode, run an anti-spyware to remove the spyware and adware on your computer.

Make sure you have 1 or 2 antispyware on your computer and 1 antivirus and also 1 firewall.



GOOD LUCK!
Bill
2007-07-03 23:22:57 UTC
I suggest you install ZoneAlarm Internet Security Suite, update it and then run a virus and spyware scan. If it can't remove the viruses, which is impossible, the only way then is to format the hard disk.
MeDIeVaL
2007-07-03 23:18:05 UTC
*** Advice&Tools for virus/trojan/malware Removal & Prevention***



this list of questions & tools is here to help you in case of problems with viruses, worms, trojans and other malware...



Please work through it, answer the questions (in your own topic, please, not here..)

and have a go at the advised tools & removal instructions..

*

A word of caution at first:



If a virus, trojan, worm etc. is found, you should

a) not panic

b) try and get some information on it & the proper removal procedure

c) try to REPAIR or CLEAN it first; only if this is not possible:

d) MOVE it to the avast CHEST



-> DON'T delete it (because then it's not possible to undo any changes if the system is not working properly anymore), especially if you don't really know what you are doing..

*

Check if the Worm or Virus is included in the list of malware that the avast CLEANER can remove:

http://www.avast.com/i_idt_171.html

If so, please try the Cleaner first...

It's also very helpful in a number of cases where programs won't run (e.g. after a botched-up attempt to remove/delete a virus or worm)

*

Don't panic, but:

If you have found an ACTIVE Backdoor (or Keylogger/Password-Stealer etc.) on your system, please read the next article to decide whether to just remove it or better to flatten the system and properly redo it (in case you have sensitive data on the PC, or if you use online-banking etc etc..)



***

So here goes with the info we need to help you and/or how you can resolve this yourself:



- What WIN do you have ? Are all ServicePacks and Windowsupdates applied ? Please CHECK !!



- What name does avast give the virus (e.g. like: "Win32:Netsky-P [Wrm]" ) ?



- Where exactly was the infected File found (full path/folder/filename, e.g. like c:\Windows\system32\virusfile.exe) ?

You'll get this info from the Alert/PopUp window or from avast's report/Log-files. If you can't start avast, look for the info in the logfiles in the avast (sub-)folders and

in the EventLog of Win XP / 2000: Controlpanel -> Administration -> Event-log



Sometimes, to get rid of it, it's enough to:

- clear all TEMP-folders (via drive CleanUp AND best also manually)

- empty Temp.Int.Files folder(s) (via IE->Extras-Internetoptions->Delete files, including OFFLINE files !!) and

- empty java-Cache (controlPanel -> java-Plugin -> Cache)



Or, if the virus/trojan/worm is found (only) in the RESTORE folder of WIN ME/XP:

disable system restore INCLUDING a REBOOT!!

---> Howto: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm





Test the file with OnlineScanners e.g. from KAV, Trend & RAV (see below) to get a more specific name. You need to temporarily pause AV-ResidentShield/Monitor/Guard to be able to scan the file online



Trend: http://housecall.trendmicro.com/housecall/start_corp.asp

RAV: http://www.ravantivirus.com/scan/indexie.php (use with IE & ActiveX enabled)

KAV: http://www.kaspersky.com/remoteviruschk.html

*** Multiple Scan-Engines: JOTTI & VirusTotal



(If they all don't show it as infected, please send it in a password-protected RAR- or ZIP-file to:

virus (at) avast.com)

-> How To treat False Positives



Sometimes (especially if the trojan is of the "trojan-gen", "trojano" or "startpage" kind):

Spybot, Ad-aware and Cwshredder might also help

--> see www.lurkhere.com ->nicefiles and www.lavasoft.de

Be sure to update them after installing



- Clean/Remove the Virus/Malware and its system modifications according to VirusInfos

from Avast, VGREP & TrendMicro,

McAfee & Symantec



You might also try searching for the virus name or filename with google or here in the board search (see above).

*** If you search for virus names here or elsewhere, it's often better NOT to use the complete name given by avast, but only the main/central part of it:

-> instead of "Win32:DyfucDldr-C [Trj]" use "Dyfuc" because other antivirus companies name it differently (e.g. "TrojanDownloader.Win32.Dyfuca.af"),

(Of course, when you post here in the board, please give us the complete & exact name,

up to the last :-/[ & space if possible ).



There are also lots of sites which provide free Removal Tools for some wide-spread viruses, worms & trojans:

--> First of all, of course avast's CLEANER:

http://www.avast.com/eng/avast_cleaner.html

Then have a look at these sites:

http://www.bitdefender.com/html/free_tools.php

http://vil.nai.com/vil/averttools.asp#stinger

http://securityresponse.symantec.com/avcenter/tools.list.html

CLRAV: ftp://ftp.kaspersky.com/utils/clrav/clrav.zip

ESCAN: http://www.mwti.net/antivirus/free_utilities.asp

Set the options as shown in this ->Screenshot<-

*



*** NOTE: If you (did) use an AV-product of PANDA, be prepared to get a harmless "false positive" about it from avast, because PANDA don't encrypt their files, so that avast (and lots of other scanners !!) CORRECTLY identify (harmless) pieces/strings of virus code in it

(infamous examples: "KUANG2" & "MATYAS" detected in files like imscan.dll & PAV.sig)

For more details, please read HERE



*

General removal procedure:

- For Win ME/XP: best disable system restore (including a REBOOT), especially if the virus is (also) found in the RESTORE folder

- You might want to start your WIN in "SafeMode", as then only the "bare bones" of WIN are loaded: lots of Malware processes are not active then and the nasties are easier to remove

-> How to start the computer in Safe Mode

- kill respective Virus/Worm/Trojan process with task manager ( CTRL + ALT + DEL )

- search for the file/process names in the registry; remove the malware's startup entries in the registry

!!! Make a Registry backup beforehand (at least backup the registry keys you change) in case something goes wrong:

How to back up the Windows registry

- disinfect/clean or (if disinfection is not possible) move the file to quarantine (avast's CHEST); this may be possible only after a reboot

*

When you've removed the virus/malware:

- Scan your whole system with updated AVAST (and maybe a 2nd scanner, e.g. TrendMicro, RAV, COD, to check whether your PC is clean)

- If needed, reenable system restore on Win ME/XP



*



If you still can't remove it, you could post a logfile of Hijackthis here in the forum (but in a new/your own topic, please): http://tomcoyote.org/hjt



This shows what stuff (good or bad) is starting on your PC and is excellent for diagnosis.

Be sure to unpack the ZIP-file, i.e. NOT to run hijackthis.exe from TEMP-folder or Desktop, but from a new folder of its own.

Otherwise you might lose backups of the stuff changed with it..

DON'T remove/fix anything with it yet, if you're not 100% sure, as this tool lists GOOD & BAD stuff starting/running !!

& please read this first: http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html



*



VERY IMPORTANT: Secure your system !!!

-> NO! antivirus detects everything or offers 100% protection, and new security holes are continuously found in WINDOWS, but you can do much (with just a few steps) to ensure that YOUR pc is quite safe from known nasties:



- Change passwords or set more secure ones, disable or secure shares, install patches/updates for WIN & IE (InternetExplorer);

- Disable ActiveX and Scripting in IE except for known, secure sites

- Even better, use a secure browser/Mailprogram like Opera, Mozilla or Netscape, instead of the notoriously unsafe IE & Outlook !



*** Read How did I get infected in the first place and follow Tony's advice. He will tell you about some ways to make your computer more secure and link to some excellent free tools to help with that.

***

Further Details and Links via the board search above ..:

http://forum.avast.com/index.php?board=;action=search

E.g. entering a virus/trojan name there (or even the filename of an infected file) will usually get you lots of topics with specific advice for its proper removal



Another HotSpot for Malware-Removal & Security is Eddy's page

Please also read Technical's excellent "User's FAQ": to get more info on problems/tweaks/advice related to the functions of AVAST & WIN

Another place you want to look at are the

avast! 4 FAQs & Links! (for almost everything)

*

If you couldn't resolve the problem yourself, you're very welcome to start/continue your own topic asking for further help, but please:

- provide the requested info & maybe other stuff you deem important

- describe in detail what you've tried so far, and with what results..

What to do if an active BACKDOOR is found..



The following instructions of course DON'T apply generally to all kinds of viruses/malware (so don't panic ), especially NOT to "classic" viruses, e.g. simple EXE-Infectors (without further functionalities) or Boot/MBR-infections.



They are however aimed at the rather large category and growing threat of BACKDOORS & some trojans/worms (with keylogging and/or password-stealing functionality ..)



So, here's some advice if you have or had an ACTIVE Backdoor (or Keylogger/Password-Stealer etc.) on your system:



(ACTIVE means here that the backdoor installed itself to the system, i.e. you find its startup-entries, registry changes and its malicious files described in the respective virus/backdoor info. Often this means that its files are detected in the WINDOWS/WINNT or SYSTEM32/SYSTEM folder.

If however the backdoor/trojan was caught/blocked by avast's residentShields in time and it is found ONLY in e.g.

- Temporary internet files

- TEMP-folders

- a new Download/Email (which you didn't ever click/activate, of course)

then you're probably lucky, because the backdoor is inactive and wasn't able to install/do any harm.)

*



So, if the backdoor is/was active:

--> At least change all your passwords after removal !!!

This means:

- All Admin-/User-passwords

- Also other important passwords which were entered on the PC via keyboard since the infection occurred (as you probably don't know for sure when it happened, this usually means ALL passwords).

This ESPECIALLY includes PIN's, (online-)banking-/onlineshopping-/ebay data etc etc..

- Passwords or other sensitive data saved somewhere on the PC, especially if they are not or only weakly encrypted (something you shouldn't do anyway..!!)



This MUST be done AFTER you're pretty sure that the backdoor is completely removed from the PC, and while you're disconnected from the internet.

(Changing the Admin/User passwords can be done additionally before you start removing the backdoor, but then change to new/unused/secure passwords AGAIN after Removal)



*



Again: Don't panic now...



Some people advise a complete redo of the system from scratch, as it's compromised=not secure anymore.

-> A malicious user could read/modify/delete all the data on your system, log/record your passwords, PIN's etc etc..

This "setting up from scratch" is of course the ONLY way to ensure that your system is again safe & secure to spying/intrusion, because even if..

- you removed the backdoor/trojan from the system according to instructions &

- a virus/trojan scanner gives your PC a clean bill of health,

you CAN'T be sure that the backdoor (or a malicious user who recognized/controlled it) didn't do any other sneaky modifications to the system which you probably wouldn't detect...





But everybody has to decide this for themselves according to how important the security of their system & the sensitivity of their data is because:



- some people understandably don't really want to go to all this trouble, especially not for a machine which is only used for surfing or gaming..

- redoing/setting up the machine again needs to be done exactly RIGHT, otherwise it's pointless !!

If you don't do this properly, you might just get reinfected with e.g. a network-worm with backdoor functionalities, before you're even finished with installing/updating Windows & all your other stuff...



A "proper" Redo/Reinstallation of the system means:

a) backup of data, ServicePacks/Windowsupdates/patches, important drivers, and maybe emails, address books, contacts and important settings (before you restore them, you must of course scan the backups thoroughly for viruses/backdoors etc etc)

b) FORMAT C: (or whichever is the system/windows partition)

c) Reinstall Windows WITHOUT going online

d) Apply ALL ServicePacks & important patches/windowsupdates OFFLINE, or behind a properly configured firewall (WIN XP's firewall should suffice, if ACTIVATED!!).

That means do it before you ever connect to the internet !! Otherwise you might just get infected automatically by network worms (this happens without you even opening the browser or reading an email, just by going online)



- Of course changing all passwords & generally securing your system & IE still applies (see above);

again, you must do this while you're still OFFLINE/before EVER going online!!
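
The registry step of the general removal procedure above (back up the keys you are about to change, then search the startup entries for the reported file name), as an added example that is not part of the original answer. It covers only the four standard Run/RunOnce keys; the backup folder name and the `$SuspectName` parameter are assumptions, with `virusfile.exe` taken from the answer's sample path.

```powershell
# Added example (not from the original answer): back up the standard autostart
# registry keys, then list their entries and mark those naming a suspect file.
param(
    # File name reported by the scanner; 'virusfile.exe' is the answer's sample name.
    [string]$SuspectName = 'virusfile.exe'
)

# Assumed backup location: a timestamped folder in the user's profile.
$stamp     = Get-Date -Format 'yyyyMMdd_HHmmss'
$backupDir = Join-Path $env:USERPROFILE "RunKeyBackup_$stamp"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$runKeys = @(
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$entries = foreach ($key in $runKeys) {
    $hive   = $key -replace '^HKLM', 'HKEY_LOCAL_MACHINE' -replace '^HKCU', 'HKEY_CURRENT_USER'
    $psPath = "Registry::$hive"
    if (-not (Test-Path -LiteralPath $psPath)) { continue }

    # Backup first: reg.exe writes a .reg file that can be imported again later.
    $regFile = Join-Path $backupDir (($key -replace '\\', '_') + '.reg')
    & reg.exe export $key $regFile | Out-Null

    # Inventory: one row per value stored under the key.
    $item = Get-Item -LiteralPath $psPath
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $hit     = $command.IndexOf($SuspectName, [StringComparison]::OrdinalIgnoreCase) -ge 0
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $command
            Suspect = $hit
        }
    }
}

# Suspect rows first; nothing is modified or deleted by this script.
$entries | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
Write-Host "Registry backups written to $backupDir"
```

The script only reads the keys and writes the `.reg` backups; removing an entry remains a manual step once the backup exists.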


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.